From owner-freebsd-security Thu Dec 12 06:58:43 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id GAA15569 for security-outgoing; Thu, 12 Dec 1996 06:58:43 -0800 (PST)
Received: from halloran-eldar.lcs.mit.edu (halloran-eldar.lcs.mit.edu [18.26.0.159]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id GAA15553 for ; Thu, 12 Dec 1996 06:58:40 -0800 (PST)
Received: by halloran-eldar.lcs.mit.edu; (5.65v3.2/1.1.8.2/19Aug95-0530PM) id AA24275; Thu, 12 Dec 1996 09:58:36 -0500
Date: Thu, 12 Dec 1996 09:58:36 -0500
From: Garrett Wollman
Message-Id: <9612121458.AA24275@halloran-eldar.lcs.mit.edu>
To: Stephen Fisher
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Risk of having bpf0? (was URGENT: Packet sniffer found on my system)
In-Reply-To:
References: <199612110432.UAA10905@root.com>
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

< said:

> Can't the hacker just recompile the kernel with bpf support and then use
> it, though?

Not if you run at security level 2, make all the files in /bin, /sbin, /usr/bin, and /usr/sbin, and some of the files in /etc and / system immutable, and make all those directories plus / and /dev system append-only. If you're running a public-access shell system, you most certainly should do just that. (It's a big hassle for ordinary users, which is why we don't ship systems that way.)

-GAWollman

--
Garrett A. Wollman   | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu  | O Siem / The fires of freedom
Opinions not those of| Dance in the burning flame
MIT, LCS, ANA, or NSA|      - Susan Aglukark and Chad Irschick
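
The following audit sketch is an added example, not part of the original message or of FreeBSD itself. It checks `ls -lo` output for the layout described above (system immutable files, system append-only directories, security level 2); the column layout, the function names and the sample listing are assumptions made for illustration, and path names are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example (not from the original message). Audits FreeBSD `ls -lo`
# output for the flags the message describes: schg (system immutable) on
# files, sappnd (system append-only) on directories.
# Assumed column layout:
#   mode links owner group flags size month day time name
# On a real host, feed it e.g.:  ls -lod /bin /bin/* /sbin /sbin/*

audit_flags() {
    awk '
    $1 !~ /^[-d]/ { next }          # only regular files and directories
    {
        want = (substr($1, 1, 1) == "d") ? "sappnd" : "schg"
        n = split($5, have, ",")    # flags column, e.g. "schg,nodump" or "-"
        found = 0
        for (i = 1; i <= n; i++)
            if (have[i] == want) found = 1
        if (!found) print "MISSING", want, $10
    }'
}

# The message calls for security level 2.
# Pass the output of `sysctl -n kern.securelevel` as $1.
securelevel_ok() {
    [ "$1" -ge 2 ]
}

# Constructed sample listing, not taken from a real system.
sample_listing() {
    cat <<'EOF'
total 5
drwxr-xr-x  2 root  wheel  sappnd        1024 Dec 12 09:00 /bin
-r-xr-xr-x  1 root  wheel  schg         49152 Dec 12 09:00 /bin/ls
-r-xr-xr-x  1 root  wheel  -           262144 Dec 12 09:00 /bin/sh
drwxr-xr-x  2 root  wheel  -             2048 Dec 12 09:00 /sbin
-r-xr-xr-x  1 root  wheel  schg,nodump  32768 Dec 12 09:00 /sbin/init
EOF
}

# Demo run over the constructed listing.
sample_listing | audit_flags
```

Any `MISSING` line marks a file or directory that could still be replaced or modified by root, which is the gap the quoted question is asking about.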